CTAB call of August 25, 2020
Attendees:
- David Bantz, University of Alaska, Chair
- Brett Bieber, University of Nebraska
- Tom Barton
- Rachana Ananthakrishnan, Globus, University of Chicago
- Richard Frovarp, North Dakota State
- Pål Axelsson, SUNET
- Eric Goodman, UCOP - TAC Representative to CTAB
- Chris Whalen, Research Data and Communication Technologies
- John Pfeifer, University of Maryland
- Robert Zybeck, Portland Community College
- Jon Miner, University of Wisc - Madison
- Marc Wallman, North Dakota State University, InCommon Steering Rep, ex-officio
Internet2
- Kevin Morooney, Internet2
- Ann West, Internet2
- Albert Wu, Internet2
- Emily Eisbruch, Internet2
- Johnny Lasker, Internet2
Regrets
- Chris Hable, University of Michigan
- Ercan Elibol, Florida Polytech Institute
- Jule Ziegler, Leibniz Supercomputing Centre
- Mary Catherine Martinez, InnoSoft (vice chair)
Discussion
Welcome to Johnny Lasker, Internet2, a new member of Nic Roy's InCommon Operations team
- Johnny will be working on the Baseline Expectations implementation
Final review of Baseline Expectations v2 and the BE implementation guide
For the BE v2 main document:
- Formatting questions around bullets
  - Decision: nested bullets help with clarity
- Security statements go under the generally accepted security practice statement
For the BE v2 Implementation Guide:
- As discussed at the last call: for the secure endpoints Baseline Expectation, change "should" to "must" or "shall" for meeting a score of A on SSL Labs
  - Noted that SSL Labs changes the criteria for an A over time
  - What is the timeframe for meeting an A after SSL Labs makes a change?
  - If a broad exception becomes warranted, we can define a process to accept a "B" for a period of time
  - EricG spoke with colleagues: most UC campuses can handle exception cases on a machine-by-machine basis and can configure networking to allow some IPs and not others; there is a big tech support commitment if we are going to talk to institutions running TLS that needs possible exceptions
- Tools
  - OWASP guidance: suggestion to remove it or relocate it within the document
    - OWASP TLS cheat sheets are a helpful resource
    - Move to the 2nd paragraph, as additional info
    - Can also add OWASP as a footnote
  - Qualys SSL Labs is promising, but there is some chance InCommon Operations will need to use a different tool for testing
    - If InCommon can't use Qualys SSL Labs, it will be necessary to map the requirement to another tool's results
    - The text does not have to describe exactly what the Federation Operator (Internet2) will do
  - InCommon Operations' checking of the SSL Labs grade will need to be asynchronous
- 90 day remediation period
  - Questions about the dispute resolution process and the 90 day remediation period
  - Changed the 90 day period in some places to "mutually agreeable plan and timeframe" in the implementation document
  - Question: Is this 90 days outside of the 90 days in the dispute resolution process? https://www.incommon.org/federation/dispute-resolution
  - Answer: yes, the 90 days in the BEv2 implementation document is outside of the 90 days in the dispute resolution process
  - Albert: every time SSL Labs changes the grading criteria, it will potentially invalidate all previous testing scores
    - We don't want a big chunk of the federation participants in "dispute resolution" whenever there is an SSL Labs grading change
- Next Steps
  - Hope to announce BEv2 at Base CAMP, Nov 16, 2020
  - To provide enough time for consultation and InCommon Steering voting, we need to publish these in one week
  - Decision: hold an extra CTAB meeting in one week, on Tuesday, Sept. 1, to get through the rest of this document
Not discussed on this CTAB call due to lack of time:
- BE Implementation Project Plan
- BE Impact Statement (for Steering)
- Communicating with the community: signal the end of the consensus process
- BE outreach team: should we have one?
- Based on the BE1 experience, what should we do differently this time? What should we repeat?
- Future presentations:
  - CAMP, Nov 16-17, 2020
  - TechExtra / ACAMP, Nov 18-20, 2020
  - https://incommon.org/academy/camp-meetings/2020-virtual-camp-and-advance-camp/
Upcoming CTAB calls
- Additional CTAB call to finish work on the Baseline Expectations v2 implementation guide document:
  - Tuesday, September 1, 2020
- Next regularly scheduled CTAB call:
  - Tuesday, September 8, 2020